From: Guenter Roeck <linux@roeck-us.net>
To: Jean Delvare <jdelvare@suse.de>
Cc: Hardware Monitoring <linux-hwmon@vger.kernel.org>
Subject: Re: [PATCH 17/17] hwmon: (gl520sm) Fix overflows seen when writing into limit attributes
Date: Tue, 13 Dec 2016 06:49:22 -0800
Message-ID: <e1fc986c-a0ca-93bb-f9b0-d4103f18feb4@roeck-us.net>
In-Reply-To: <20161213105642.1fa8de57@endymion>

On 12/13/2016 01:56 AM, Jean Delvare wrote:
> On Sun, 4 Dec 2016 20:55:40 -0800, Guenter Roeck wrote:
>> Writes into limit attributes can overflow due to multiplications
>> and additions with unbound input values.
>>
>> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
>> ---
>> drivers/hwmon/gl520sm.c | 9 +++++----
>> 1 file changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/hwmon/gl520sm.c b/drivers/hwmon/gl520sm.c
>> index dee93ec87d02..4bb37d7234b1 100644
>> --- a/drivers/hwmon/gl520sm.c
>> +++ b/drivers/hwmon/gl520sm.c
>> @@ -209,10 +209,11 @@ static ssize_t get_cpu_vid(struct device *dev, struct device_attribute *attr,
>> static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL);
>>
>> #define VDD_FROM_REG(val) (((val) * 95 + 2) / 4)
>> -#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255)
>> +#define VDD_TO_REG(val) \
>> + DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 95 / 4) * 4, 95)
>>
>> #define IN_FROM_REG(val) ((val) * 19)
>> -#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255)
>> +#define IN_TO_REG(val) DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 19), 19)
>>
>> static ssize_t get_in_input(struct device *dev, struct device_attribute *attr,
>> char *buf)
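Review bot: The clamp limits in the new VDD_TO_REG and IN_TO_REG are open-coded as 255 * 95 / 4 and 255 * 19, which duplicates the scaling already defined by VDD_FROM_REG and IN_FROM_REG two lines above each. Writing the upper bounds as VDD_FROM_REG(255) and IN_FROM_REG(255) gives the same values (6056 and 4845) and keeps the limit tied to the inverse conversion if the scale factor is ever touched. A short comment saying that the clamp has to come before the multiplication, because val is unbounded user input, would also stop a later cleanup from moving it back outside.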
>> @@ -514,8 +515,8 @@ static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR,
>> get_fan_off, set_fan_off);
>>
>> #define TEMP_FROM_REG(val) (((val) - 130) * 1000)
>> -#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \
>> - (val) - 500 : (val) + 500) / 1000) + 130), 0, 255)
>> +#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(clamp_val(val, -130000, 125000), \
>> + 1000) + 130)
>>
>> static ssize_t get_temp_input(struct device *dev, struct device_attribute *attr,
>> char *buf)
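Review bot: The new TEMP_TO_REG only behaves as intended if its argument is a signed type: the lower clamp bound of -130000 and the rounding of negative dividends in DIV_ROUND_CLOSEST both depend on it, and the caller is not visible in this hunk. Please confirm the store function parses into a long, and consider a one-line comment above the macro saying so. The bounds -130000 and 125000 are TEMP_FROM_REG(0) and TEMP_FROM_REG(255); spelling them that way would document where the numbers come from.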
>
> Reviewed-by: Jean Delvare <jdelvare@suse.de>
>
> But I think FAN_TO_REG can overflow too? Input value is left-shifted
> without a prior check.
>
You are right. My older script didn't detect that because the overflow happens
with a very low value, and the script just concluded that the value range was [0,0].
After improving my test script, the driver generates KASAN bad memory reports.
Ouch. I'll have to look into that.

Thanks,
Guenter
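
The overflow the quoted commit message describes can be reproduced in user space. The following is an added example, not part of this thread or of the kernel source: it contrasts the removed and patched forms of VDD_TO_REG and TEMP_TO_REG at extreme inputs. The helper names, the use of long for the input, and two's-complement wraparound on overflow are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>

/* User-space stand-ins for the kernel's clamp_val() and DIV_ROUND_CLOSEST()
 * (signed long, positive divisor only). Names are hypothetical. */
static long clamp_long(long v, long lo, long hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

static long div_round_closest(long x, long d)
{
	return x >= 0 ? (x + d / 2) / d : (x - d / 2) / d;
}

/* Wrapping arithmetic done in unsigned long. Assumption: two's-complement
 * wraparound, which is what the conversion back to long gives on GCC/Clang. */
static long wrap_mul(long a, long b) { return (long)((unsigned long)a * (unsigned long)b); }
static long wrap_add(long a, long b) { return (long)((unsigned long)a + (unsigned long)b); }

/* Removed VDD_TO_REG: scale the raw input first, clamp last. */
static long old_vdd_to_reg(long val)
{
	return clamp_long(wrap_add(wrap_mul(val, 4), 47) / 95, 0, 255);
}

/* Patched VDD_TO_REG: clamp the raw input first, then scale. */
static long new_vdd_to_reg(long val)
{
	return div_round_closest(clamp_long(val, 0, 255 * 95 / 4) * 4, 95);
}

/* Removed TEMP_TO_REG: add the rounding term, divide, offset, clamp last. */
static long old_temp_to_reg(long val)
{
	return clamp_long(wrap_add(val, val < 0 ? -500 : 500) / 1000 + 130, 0, 255);
}

/* Patched TEMP_TO_REG: clamp to the representable range before dividing. */
static long new_temp_to_reg(long val)
{
	return div_round_closest(clamp_long(val, -130000, 125000), 1000) + 130;
}

int main(void)
{
	printf("vdd  LONG_MAX: old=%ld new=%ld\n", old_vdd_to_reg(LONG_MAX), new_vdd_to_reg(LONG_MAX));
	printf("temp LONG_MAX: old=%ld new=%ld\n", old_temp_to_reg(LONG_MAX), new_temp_to_reg(LONG_MAX));
	printf("temp LONG_MIN: old=%ld new=%ld\n", old_temp_to_reg(LONG_MIN), new_temp_to_reg(LONG_MIN));
	return 0;
}
```

With the removed forms, the largest input wraps and lands on the lowest register value, and the smallest temperature input lands on the highest, so the final clamp never sees the out-of-range value it was meant to catch.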